secpaver/extend-check_ima-to-check-whether-gen_ima-is-right.patch


2024-12-10 14:11:16 +08:00
From 3287a6ffcf77ac5d328994610dc40e267e800ba2 Mon Sep 17 00:00:00 2001
From: xucee <xuce10@h-partners.com>
Date: Thu, 5 Dec 2024 16:15:19 +0800
Subject: extend check_ima to check whether gen_ima is right.
---
secconf/check/check_ima | 181 +++++++++++++++++++++++++++++++++++-
secconf/gen/gen_ima | 10 +-
secconf/gen/gen_secure_boot | 2 +-
3 files changed, 184 insertions(+), 9 deletions(-)
diff --git a/secconf/check/check_ima b/secconf/check/check_ima
index cb5de0d..613d75e 100644
--- a/secconf/check/check_ima
+++ b/secconf/check/check_ima
@@ -1,9 +1,7 @@
ima_comm()
{
{{with .IMA}}
-{{ if and (eq (len .MeasureList) 0) (eq (len .AppraiseList) 0) }}
-echo "IMA is not enabled!"
-{{else}}
+
if [ ! -d /etc/ima/ ]; then
echo "The /etc/ima/ directory does not exist. Please confirm whether IMA is supported."
return 1
@@ -12,7 +10,184 @@ if [[ "$(getenforce)" == "Disabled" ]]; then
echo "IMA requires selinux to protect specific files. Please make sure selinux is enabled!"
return 1
fi
+
+measure_list=()
+appraise_list=()
+common_list=()
+
+{{range .AppraiseList}}
+appraise_list+=({{.}})
{{end}}
+
+{{range .MeasureList}}
+measure_list+=({{.}})
+{{end}}
+
+if [ -d /sys/firmware/efi ]; then
+ grub_path=/boot/efi/EFI/openeuler/grub.cfg
+else
+ grub_path=/boot/grub2/grub.cfg
+fi
+
+appraise_param=("ima_appraise=enforce" "ima_appraise_digest_list=digest-nometadata")
+measure_param=("ima_digest_list_pcr=11" "ima_template=ima-ng")
+measure_type=ima_measure_bprm_t
+appraise_type=ima_appraise_bprm_t
+all_type=ima_all_bprm_t
+needReboot=false
+needConfigure=false
+
+check_exist_kernel_param()
+{
+ for param in "${@}"; do
+ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
+ if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then
+ needReboot=true
+ needConfigure=true
+ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+ needConfigure=true
+ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+ needReboot=true
+ fi
+ done
+}
+
+check_absent_kernel_param()
+{
+ for param in "${@}"; do
+ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
+ if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
+ needReboot=true
+ needConfigure=true
+ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+ needReboot=true
+ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+ needConfigure=true
+ fi
+ done
+}
+
+if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
+ check_absent_kernel_param "${appraise_param[@]}"
+ check_absent_kernel_param "${measure_param[@]}"
+elif [[ ${#appraise_list[@]} -gt 0 && ${#measure_list[@]} -gt 0 ]]; then
+ check_exist_kernel_param "${appraise_param[@]}"
+ check_exist_kernel_param "${measure_param[@]}"
+elif [[ ${#appraise_list[@]} -gt 0 ]]; then
+ check_absent_kernel_param "${measure_param[@]}"
+ check_exist_kernel_param "${appraise_param[@]}"
+else
+ check_absent_kernel_param "${appraise_param[@]}"
+ check_exist_kernel_param "${measure_param[@]}"
+fi
+
+if [[ "$needReboot" == "true" && "$needConfigure" == "true" ]]; then
+ echo "The current IMA related startup parameters are not configured correctly. Please execute the configuration script and then restart to take effect."
+ return 0
+elif [[ "$needReboot" == "true" && "$needConfigure" == "false" ]]; then
+ echo "The current IMA related startup parameters have been successfully configured. It needs to restart to take effect."
+ return 0
+elif [[ "$needReboot" == "false" && "$needConfigure" == "true" ]]; then
+ echo "The current IMA related start up parameters are valid. But they will become invalid after restarting. It needs to execute configuration script to configure."
+else
+ echo "The current IMA related start up parameters are valid and configured correctly!"
+fi
+
+if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
+ echo "IMA check completed!"
+ return 0
+fi
+
+needSetSelinuxType=false
+check_selinux_type()
+{
+ SELINUX_LABEL=$(ls -Z "$2" | awk '{print $1}' | awk -F: '{print $3}')
+ if [[ $SELINUX_LABEL != "$1" ]]; then
+ needSetSelinuxType=true
+ fi
+}
+
+unique() {
+ echo "$@" | tr ' ' '\n' | sort -u | tr '\n' ' '
+}
+
+common_elements() {
+ comm -12 <(printf "%s\n" $1 | sort) <(printf "%s\n" $2 | sort)
+}
+
+remove_common() {
+ grep -Fvxf <(printf "%s\n" $2) <(printf "%s\n" $1)
+}
+
+unique_appraise_list=($(unique "${appraise_list[@]}"))
+unique_measure_list=($(unique "${measure_list[@]}"))
+common_list=($(common_elements "${unique_appraise_list[*]}" "${unique_measure_list[*]}"))
+appraise_list=($(remove_common "${unique_appraise_list[*]}" "${common_list[*]}"))
+measure_list=($(remove_common "${unique_measure_list[*]}" "${common_list[*]}"))
+
+
+for measure_file in "${measure_list[@]}"; do
+ check_selinux_type $measure_type $measure_file
+done
+
+for appraise_file in "${appraise_list[@]}"; do
+ check_selinux_type $appraise_type $appraise_file
+done
+
+for common_file in "${common_list[@]}"; do
+ check_selinux_type $all_type $common_file
+done
+
+if [[ $needSetSelinuxType == "true" ]]; then
+ echo "The selinux type of the target files is not configured correctly. Please execute the configuration script to set it."
+ return 0
+else
+ echo "The selinux type of the target files is configured correctly!"
+fi
+
+ima_policy=/sys/kernel/security/ima/policy
+
+if [ -z "$(cat $ima_policy)" ]; then
+ echo "IMA policy is not configured. Please execute the configuration script to configure it."
+ return 0
+fi
+
+needConfigurePolicy=false
+check_ima_policy(){
+ if ! grep -Fxq "$1" "$ima_policy"; then
+ needConfigurePolicy=true
+ fi
+}
+
+if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
+ check_ima_policy "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig"
+fi
+if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
+ check_ima_policy "measure func=DIGEST_LIST_CHECK"
+fi
+
+if [[ ${#common_list[@]} -gt 0 ]]; then
+ check_ima_policy "appraise func=BPRM_CHECK obj_type=${all_type}"
+ check_ima_policy "measure func=BPRM_CHECK obj_type=${all_type}"
+fi
+
+if [[ ${#measure_list[@]} -gt 0 ]]; then
+ check_ima_policy "measure func=BPRM_CHECK obj_type=${measure_type}"
+fi
+
+if [[ ${#appraise_list[@]} -gt 0 ]]; then
+ check_ima_policy "appraise func=BPRM_CHECK obj_type=${appraise_type}"
+fi
+
+if [[ "needConfigurePolicy" == "true" ]]; then
+ echo "IMA policy is not configured correctly! Please restart and execute the configuration script to configure it."
+ return 0
+else
+ echo "IMA policy are configured correctly! IMA has been successfully enabled"
+fi
+
echo "IMA check completed!"
{{end}}
}
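Review bot: The final policy verdict at `if [[ "needConfigurePolicy" == "true" ]]; then` compares a literal string rather than the variable, so the else branch always runs and the script prints "IMA policy are configured correctly! IMA has been successfully enabled" even when `check_ima_policy` has set the flag; it should read `if [[ "$needConfigurePolicy" == "true" ]]; then`. The SELinux type loops call `check_selinux_type $measure_type $measure_file` (likewise for the appraise and common lists) with unquoted arguments and derive the label by parsing `ls -Z`, so a path containing whitespace is split and a missing file yields an empty label that is reported as a wrong type rather than as absent; quoting the arguments and reading the context with `stat -c %C -- "$2"` (then splitting on `:`) would be more robust, and the same quoting gap applies to `unique`, `common_elements` and `remove_common`, which all word-split their inputs on spaces. In check_exist_kernel_param and check_absent_kernel_param, `grep -q "${param}"` treats the parameter as an unanchored regex, so a shorter value also counts as present when a longer value containing it is on the line; `grep -qF -- "${param}"` at least removes the regex interpretation. The enclosing ima_comm() opens in the previous hunk.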
diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
index 28edbf3..e0cc3c4 100644
--- a/secconf/gen/gen_ima
+++ b/secconf/gen/gen_ima
@@ -32,7 +32,7 @@ rm_kernel_param()
{
for param in "${@}"; do
cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
sed -i "s/ \<${param}\>//g" ${grub_path}
needReboot=true
@@ -48,12 +48,12 @@ set_kernel_param()
{
for param in "${@}"; do
cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then
- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}"
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}"
needReboot=true
elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}"
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}"
elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
needReboot=true
fi
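Review bot: The sed in set_kernel_param now appends only to the `/vmlinuz-$(uname -r)/` line, while rm_kernel_param in the previous hunk still runs `sed -i "s/ \<${param}\>//g" ${grub_path}` over every line of the file with the path unquoted; scoping it the same way, `sed -i "/vmlinuz-$(uname -r)/ s/ \<${param}\>//g" "${grub_path}"`, would keep the two helpers symmetric with the narrowed grep test they now share. The `uname -r` output is interpolated unescaped into both a grep pattern and a sed address; its dots are regex metacharacters, which looks harmless here but deserves a comment such as `# kernel release is used as a regex; dots match any character`. Editing grub.cfg in place is presumably overwritten the next time grub.cfg is regenerated, so a comment pointing operators at the persistent command-line source would help — confirm against how this project regenerates grub.cfg.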
@@ -109,7 +109,7 @@ else
fi
if [[ $needReboot == "true" ]]; then
- echo "IMA startup parameters have been configured! It will take effect by rebooting"
+ echo "IMA startup parameters have been configured! It will take effect by rebooting."
return 0
fi
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
index a1e0d36..9ace5e0 100644
--- a/secconf/gen/gen_secure_boot
+++ b/secconf/gen/gen_secure_boot
@@ -39,7 +39,7 @@ secure_boot_comm()
get_usr_input "Whether to enable the secure boot anti-rollback?【Y/N】"
if [ $? -eq 1 ]; then
mokutil --set-sbat-policy latest
- echo "The anti-rollback function has been set and will take effect after restarting."
+ echo "The anti-rollback function has been enabled and will take effect after enabling the secure boot."
fi
{{ else }}
get_usr_input "Whether to disable the secure boot anti-rollback【Y/N】"
--
2.33.0